At long last, the US Securities and Exchange Commission (SEC) has adopted a set of cybersecurity rules that had been under consideration since Q1 2022. The broad-based rules effectively formalize as policy a set of cybersecurity best practices governing how financial services organizations protect their operation and report breaches – including a new requirement for companies to report cyber incidents within four days. Now that the regulations have been adopted, let’s take a look at what they mean for alternative investment firms and how ECI is equipping our clients to quickly and effectively comply with the new rules.
Unpacking the New SEC Regulations
The SEC regulations had been pending for a while, as industry groups weighed in and public comments were gathered. With the rules now in effect, organizations must quickly comply with heightened standards for both cybersecurity protection and the prompt reporting of any breaches or incidents, which we touched on in an earlier webinar series.
Specifically, the new SEC rules require companies to report cyber incidents within four days, declare ransomware payments within 24 hours and to submit copies of their annual cyber risk management, strategy and governance reports. The risks of noncompliance are significant and can include fines or more severe penalties such as delisting or decertification to conduct key business activities and transactions.
The final SEC rules made some accommodations to business concerns that arose during the public comment periods, including adding a criticality threshold and an assessment protocol for firms to establish which incidents are significant enough to report. The final rules also include protections against inadvertently disclosing company IP or proprietary processes when reporting incidents. Best of all for many of ECI’s clients, the SEC is giving smaller companies until June 2024 to comply. That said, firms shouldn’t wait around to find the right MSP partner to tackle the substantial to-do list for compliance.
How ECI is Helping Clients Comply with Stronger Regulations
ECI has worked proactively to prepare our clients and give them a running start toward thorough compliance now that the regulations are official. In doing so, we take a holistic and comprehensive approach to help clients establish a strong cybersecurity plan across all stakeholders and systems, from the server room to the board room.
Our process includes proactively mapping out which data is running on which systems; who has access; which data sets are subject to which regulations; and how data is encrypted. This forms the baseline for a Data Loss Prevention (DLP) strategy that is customized to the nature of the firm and its business activities. This strategy is backed up by robust vulnerability management and penetration testing that includes a strong vendor risk management component to cover all third-party risks as well as those within the four walls of the company.
From there, ECI continues to build out a comprehensive governance, risk and compliance (GRC) framework that protects the organization on an ongoing basis, with continuous monitoring of both internal operations and controls, as well as maintaining a consistently compliant environment. Throughout, we facilitate tabletop exercises and other workforce trainings for multiple stakeholders who need to convene around any security gaps or issues.
These efforts are helping alternative investment firms put the newly adopted rules quickly into practice, and they’re useful in establishing the criticality of incidents to determine which ones need to be reported. These are just some of the ways ECI is helping clients quickly satisfy the SEC’s higher compliance bar without slowing down the pace of operations or their growth objectives.
Learn more in ECI’s detailed white paper on how firms can ensure compliance with the latest SEC rules.
